
Bugging the Bug Market

The Microsoft bug bounty program has been a success so far and the company is looking for new ways to expand it in the future.

PUNTA CANA–The Microsoft bug bounty program, started last year as a way to encourage researchers to develop new offensive and defensive techniques, has been a success so far and the company is looking for new ways to expand it in the future. Katie Moussouris, the security strategist at Microsoft responsible for the program’s creation, said that while rewarding researchers for innovative work was a key goal, causing some turbulence in the vulnerability market was also part of the plan.

Moussouris had been working on the bounty program for some time before she was able to launch it last year, and she had paid close attention to the way that not just other bounty programs work, but also how the legitimate vulnerability market operates. Vulnerability buyers and sellers for years have operated mainly underground, but that has changed in the last couple of years as companies such as VUPEN and others have made bug sales into a booming business. Microsoft’s products always are at the top of the list for both attackers and security researchers, and Moussouris wanted to find a way to get valuable offensive techniques in Microsoft’s hands rather than in the hands of vulnerability brokers or attackers.

“We’re never going to outbid the black market. This is about using existing levers to disrupt the vulnerability economy,” Moussouris said in a talk at the Kaspersky Security Analyst Summit here Monday.

Security researchers who once had limited options for making money from their vulnerability work now have a broad spectrum of choices. Depending on their contacts and other factors, researchers can sell bugs to any number of government agencies, defense contractors or third parties. Bug bounty programs provide another option, but they’re typically far less lucrative. Microsoft wanted to make that option more attractive by offering bounties of up to $100,000 for novel offensive techniques that can bypass the exploit mitigations in the latest version of Windows. The company already has paid one bounty and recently expanded the field of eligible participants to include forensics teams and incident responders.

There are more potential additions to the Microsoft bounty program, Moussouris hinted during her talk, but did not provide any new details.

Moussouris said that the pool of researchers capable of finding qualifying bypass techniques is relatively small, and the subset of that group who are willing to submit them to Microsoft is even smaller.

“There are probably only a thousand people worldwide who could do this kind of work,” she said, “And there’s probably only a few hundred who would work with Microsoft.”

There has been quite a lot of discussion in the security industry about exploit sales and potential regulation of the market. But Moussouris says she thinks that would be a mistake.

“I tell governments that I don’t want them to regulate exploits because you’ll blind me,” she said. “You’ll make it so the only way I can find out about new attacks is when they hit customers.”

Authors

Threatpost
